On 11-03-16 04:35 PM, Frederick Grose wrote:
On Wed, Mar 16, 2011 at 6:50 PM, Hiram Clawson <hiram@soe.ucsc.edu> wrote:
What prevents the black hat google spammers from creating OpenID accounts?
--Hiram
Frederick Grose wrote:
Install http://www.mediawiki.org/wiki/Extension:OpenID and disable new account creation; instead, redirect users to the OpenID account page, Special:OpenIDLogin.
I suspect that that simply doesn't fit their attack plan or program. Perhaps there are other obstacles in taking that route, such as better filtering by the OpenID providers.
--Fred
Anyone can be an OpenID provider; there is even less filtering and control. Spammers could create their own private OpenID provider for their spam accounts, without any CAPTCHA or anything else in their way. It's like e-mail.
This is just a game of whack-a-mole. The spambots have to be programmed; naturally they can't take every single situation into account. So they start, we find a way to stop them. They find a way to bypass that. We find another way to stop that, they find another way to bypass that. The spammers haven't coded the bots to handle QuestyCaptcha yet, but if people start using it to stop them, then they will code it into the bot. If you use OpenID to stop them, they'll code OpenID into the bots (and in the meantime you may irritate your potential userbase a bit). I wrote an AbuseFilter filter to deal with a pattern like this on a wiki, and made that spam pattern require an extra confirmation page. Bots stopped since they weren't coded to use the confirmation form. Sure enough, after a bit I started seeing the same spam; naturally the bots were now using the confirmation form. So I had to elevate it to deny. Later I had to elevate it to autoblock of users using that spam pattern.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]